EU Regulation 2016/679 - Decision Register

DECISION OF THE IRISH DPC / 2 MAY 2025

TikTok €530 Million DPC Fine, 2025 China Transfer Decision Explained

The first major Chapter V enforcement action focused on transfers to mainland China. The Irish Data Protection Commission found that TikTok Technology Limited transferred European user data to staff in China without verifying essentially equivalent protection under Article 46(1).

Fine amount: €530,000,000
Issuing DPA: Irish DPC
Decision date: 2 May 2025
Status: Under appeal
Articles cited: 46(1), 13(1)(f)

EDUCATIONAL ONLY

This page is a reference summary of a published regulator decision. It is not legal advice. Consult a qualified data protection lawyer for advice on your specific situation. The UK GDPR is a separate regime from the EU GDPR following Brexit. Always read the source decision in full before relying on any figure or quote.

DECISION SUMMARY

What happened

On 2 May 2025, the Irish Data Protection Commission announced the conclusion of a long-running cross-border inquiry into TikTok Technology Limited's transfers of European user data to staff and group entities located in mainland China. The decision imposed an administrative fine of €530 million, made up of a €485 million fine for the infringement of Article 46(1) GDPR (transfers without verifying essentially equivalent protection) and a €45 million fine for the infringement of Article 13(1)(f) (failure to provide adequate transparency to data subjects about the existence and nature of the transfers).

The inquiry was opened in September 2021, originally focused on TikTok's processing of children's personal data. As that inquiry developed, the DPC identified separate questions about TikTok's transfer practices, particularly the role of TikTok engineers and group personnel based in Beijing and Shanghai who required access to European user data for product development, content moderation and operational support. A separate transfer inquiry was opened, and the 2025 decision concludes that limb of the investigation. The 2023 €345 million decision (children's data) and the 2025 €530 million decision (China transfers) are distinct but related limbs of the broader regulatory engagement.

As lead supervisory authority under Article 56, the DPC circulated its draft decision to other concerned supervisory authorities. The Article 60 cooperation procedure resulted in reasoned objections from several authorities, primarily on the size of the fine and the scope of the corrective orders. The final fine amount reflects either consensus reached through the cooperation procedure or the outcome of any EDPB Article 65 binding decision invoked in the case.

What the DPC found

The DPC's core finding mirrors the legal architecture of the Meta 2023 decision, applied to a different third country. Article 46(1) GDPR provides that, in the absence of an adequacy decision under Article 45, a controller may transfer personal data to a third country only if it has provided appropriate safeguards and only where enforceable rights and effective legal remedies are available. The Court of Justice in Schrems II (Case C-311/18) held that controllers must verify, in the specific context of the transfer, whether the law of the third country offers essentially equivalent protection, and must adopt supplementary measures or suspend the transfer where it does not.

The DPC assessed Chinese surveillance and data-access law against the Schrems II benchmark. The legal regime considered included the Cybersecurity Law (2017), the Data Security Law (2021), the Personal Information Protection Law (2021), the National Intelligence Law (2017) and the Counter-Espionage Law (2014, amended 2023). The DPC concluded that the combination of these instruments created government-access powers that were not subject to the limitations and safeguards required for essential equivalence: in particular, the scope of national-security access is broad, the role of independent judicial review is structurally limited, and effective remedies for European data subjects to challenge access are not generally available.

Given that legal assessment, TikTok's reliance on Standard Contractual Clauses for the China transfers was insufficient. The supplementary measures TikTok had put in place (logical access controls, encryption-in-transit, internal review procedures, the announced Project Clover infrastructure programme) did not fundamentally alter the position: where Chinese law gave authorities access powers that exceeded the Schrems II benchmark, contractual and technical measures could not deliver essential equivalence. The DPC found this constituted an ongoing infringement of Article 46(1) until such time as the transfers were either suspended or routed through infrastructure that genuinely prevented access by China-based personnel.

On the separate Article 13(1)(f) limb, the DPC found that TikTok's privacy notices did not adequately inform European users that their personal data could be accessed by personnel located in third countries (including China) under SCC arrangements, nor did they identify the third countries with sufficient specificity to enable a meaningful informed-choice assessment. This was a separate transparency infringement, fined at €45 million.

Why the fine was this size

Article 83(5) GDPR allows fines up to €20 million or 4% of total worldwide annual turnover for upper-tier infringements (which include Article 46 transfers and Article 13 transparency). ByteDance, TikTok's parent group, reported global revenue of approximately US$110 billion in 2023, with European-segment revenue comprising a smaller but material share. The 4% statutory ceiling for the relevant undertaking is therefore in the multi-billion euro range, putting the €530 million combined fine well below the cap.

The Article 83(2) factors most likely treated as aggravating include: the scale of European users affected (approximately 150 million monthly active users in the EU at the time of the decision); the duration of the unlawful transfers (continuing from 2018 onwards on essentially the same legal basis); the previous DPC enforcement action against TikTok in 2023 (treated as a relevant prior infringement under Article 83(2)(e)); and the fundamental-rights significance of surveillance-enabling transfers. Mitigating factors plausibly include TikTok's cooperation with the inquiry, the announced Project Clover infrastructure programme, and the company's parallel engagement with EU AI Act and Digital Services Act compliance work.

The corrective order and Project Clover

The decision imposed a corrective order to suspend the relevant transfers within six months of the decision date, or to bring TikTok's processing operations into compliance with Chapter V GDPR. In practical terms, this meant TikTok had until November 2025 to ensure that European user data could no longer be accessed from China-based locations on the contested legal basis.

TikTok's response is anchored in Project Clover, a programme announced in March 2023 to establish three Three Crowns data centres in Norway (Hamar) and Ireland (Dublin), supported by a partnership with British cybersecurity firm NCC Group to provide independent monitoring of European user data flows. As of April 2026, Project Clover infrastructure is partly operational, with the Hamar and one Dublin facility in production and the second Dublin facility scheduled to come online. Whether the architecture satisfies the DPC's corrective order in substance (or only on paper) is part of the ongoing engagement between TikTok, the DPC and concerned supervisory authorities.

Appeal status and forward look

TikTok confirmed it would appeal both the fine and the corrective orders. The appeal will be heard by the Irish High Court under section 142 of the Data Protection Act 2018. Given the structural similarity to the Meta 2023 decision, of which this case is the China equivalent (Schrems II applied to a non-US third country), the appeal is likely to focus on the DPC's assessment of Chinese law and on whether TikTok's supplementary measures (including Project Clover) were sufficient. Appeal proceedings against major DPC decisions have historically taken several years; the fine remains under appeal on this register pending resolution.

For controllers more broadly, the TikTok 2025 decision is a reminder that Schrems II is not US-specific. Any transfer to any third country (China, Russia, and any other jurisdiction with broad national-security access powers) requires the same documented transfer-impact assessment and substantive supplementary measures. The EU-US Data Privacy Framework (DPF) adequacy decision covers only transfers to the US; it does not affect the analysis for other third countries.

FREQUENTLY ASKED

About the TikTok €530 million 2025 fine

What did the TikTok 2025 decision find?
The Irish DPC concluded that TikTok Technology Limited had transferred European personal data to staff and entities located in mainland China without conducting an adequate transfer-impact assessment of Chinese surveillance law, and without putting supplementary measures in place sufficient to ensure essentially equivalent protection as required by Article 46(1) GDPR.

Is this fine separate from the 2023 TikTok DPC fine?
Yes. The 2023 DPC fine (€345 million) focused on the lawfulness of processing children's personal data on the TikTok platform under Articles 5(1)(c), 5(1)(f), 13, 25 and others. The 2025 fine focuses on cross-border data transfers to China under Chapter V. They are independent decisions concerning different aspects of TikTok's processing.

Did the DPC order TikTok to stop transferring data to China?
The decision imposed a corrective order to suspend the relevant transfers within six months, or to bring them into compliance through supplementary measures of substantive effect. TikTok announced Project Clover, a €12 billion infrastructure programme to localise European user data within Europe (using Three Crowns data centres in Norway and Ireland), in 2023, and the timetable for that programme intersects with the suspension deadline.

Is TikTok appealing?
TikTok confirmed it would appeal the decision through the Irish courts. As with the Meta 2023 Chapter V case, appeals against Irish DPC decisions are heard by the High Court under section 142 of the Data Protection Act 2018 and can take several years to resolve. The fine is recorded on this register as 'under appeal'.

Why does this fine come from Ireland rather than another DPA?
TikTok's European entity (TikTok Technology Limited) is established in Ireland, which makes the Irish DPC the lead supervisory authority for cross-border processing under Article 56 GDPR. Other DPAs participated as concerned authorities under the Article 60 cooperation procedure, and any Article 65 EDPB binding decision element of the case is reflected in the final fine amount.

Does the EU-US Data Privacy Framework cover China transfers?
No. The Trans-Atlantic Data Privacy Framework adopted by the European Commission in July 2023 only covers transfers to certified US recipients. There is no equivalent adequacy decision for China. Transfers to China must rely on Standard Contractual Clauses, Binding Corporate Rules, or one of the Article 49 derogations, each subject to the substantive Schrems II analysis.

CROSS-REFERENCES

Related entries on this register

RELATED CASE

Meta €1.2B DPC Fine (2023)

Same Article 46 mechanism applied to US transfers. The doctrinal precedent for this case.

RELATED CASE

TikTok €345M DPC Fine (2023)

The previous DPC fine against TikTok, on children's data processing under Articles 5 and 25.

ARTICLES 44-49

International Transfer Enforcement

Schrems II applied across third countries: US, China, and the general framework.

SUPERVISORY AUTHORITY

Irish DPC Profile

The lead supervisory authority for Big Tech entities established in Ireland.

VIOLATIONS

Violation Type Index

Browse fines by Article: 5, 6, 7, 13/14, 32, 46.

REGISTER

Full Decision Register

Every major indexed GDPR fine, filterable.

SOURCES & CITATIONS

Primary sources

Figures as of May 2026. Verified against published DPA decisions.

REGISTER UPDATED 2026-04-28